blob: 4a2c15ffc7b7c959f1e936c8162ac62632207387 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
From 76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7 Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman <muks@isc.org>
Date: Mon, 22 Feb 2016 12:22:43 +0530
Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
(CVE-2016-1286) (#41753)
(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
(cherry picked from commit 456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3)
CVE: CVE-2016-1286
Upstream-Status: Backport
[Skipped CHANGES and doc/arm/notes.xml changes.]
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
CHANGES | 4 ++++
doc/arm/notes.xml | 7 +++++++
lib/dns/resolver.c | 33 ++++++++++++++++++---------------
3 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 735f7d2..0602070 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6701,21 +6701,26 @@ answer_response(fetchctx_t *fctx) {
isc_boolean_t found_dname = ISC_FALSE;
dns_name_t *dname_name;
+ /*
+ * Only pass DNAME or RRSIG(DNAME).
+ */
+ if (rdataset->type != dns_rdatatype_dname &&
+ (rdataset->type != dns_rdatatype_rrsig ||
+ rdataset->covers != dns_rdatatype_dname))
+ continue;
+
+ /*
+ * If we're not chaining, then the DNAME and
+ * its signature should not be external.
+ */
+ if (!chaining && external) {
+ log_formerr(fctx, "external DNAME");
+ return (DNS_R_FORMERR);
+ }
+
found = ISC_FALSE;
aflag = 0;
if (rdataset->type == dns_rdatatype_dname) {
- /*
- * We're looking for something else,
- * but we found a DNAME.
- *
- * If we're not chaining, then the
- * DNAME should not be external.
- */
- if (!chaining && external) {
- log_formerr(fctx,
- "external DNAME");
- return (DNS_R_FORMERR);
- }
found = ISC_TRUE;
want_chaining = ISC_TRUE;
POST(want_chaining);
@@ -6744,9 +6749,7 @@ answer_response(fetchctx_t *fctx) {
&fctx->domain)) {
return (DNS_R_SERVFAIL);
}
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers ==
- dns_rdatatype_dname) {
+ } else {
/*
* We've found a signature that
* covers the DNAME.
--
1.9.1
|